==== Advisory Text =====

The version of mumble shipped with Mageia 2 does not properly find and use the celt 0.7.1 library. This is the most common celt version and is required for communication with the Windows and OSX clients. This resulted in Mumble being able to connect fine, playback and record audio, appear as if everything is working perfectly, but then simply fail to play or send any audio. This updated version of mumble fixes these errors.

==== Detailed Description ====

Our celt library has its name mangled as per our library policy. Sadly, the code inside mumble to load the library dynamically then failed as it was not expecting any mangling of the base name of the library. A patch has been applied that fixes this and ensures that mumble uses the correct name of the libcelt library.

In addition, as the library was not linked directly into mumble, no automatic requires were added on the package resulting in the possibility that mumble could be used without any codec libraries. To rectify this, a specific require has been added to ensure the 0.7.1 version is required, and the 0.11 version is suggested (only if all clients+server have the 0.11 version will it be used, hence it is not a hard require).

==== Testing ====

Load mumble and connect to a server. Assuming you have both lib[64]celt0_2 and lib[64]celt071_0 already installed, doing (as root):

"lsof | grep ^mumble| grep celt"

would yield:

mumble 18177 colin mem REG 252,0 94808 631816 /usr/lib64/libcelt0.so.2.0.0
...

i.e. only the 0.11 version was loaded.

After the update the results would be:

mumble 18294 colin mem REG 252,0 94808 631816 /usr/lib64/libcelt0.so.2.0.0
mumble 18294 colin mem REG 252,0 75944 646645 /usr/lib64/libcelt071.so.0.0.0
...

i.e. both the 0.7.1 and the 0.11 versions are loaded.
mumble-1.2.3-2.1.mga2 has been submitted to core/updates_testing for Mageia 2.
Assignee: bugsquad => qa-bugs
Blocks: (none) => 5921
Thanks Manuel for highlighting that this was already reported in #5921
Colin, please see Bug 6511 first. There is a security issue there. Fedora also fixed several other bugs in their update.
CC: (none) => luigiwalser, qa-bugs
Assignee: qa-bugs => mageia
Blocks: (none) => 6511
Updating the advisory and assigning back to QA. See Comment 0 for more info.

Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file (CVE-2012-0863).

Also, the version of mumble shipped with Mageia 2 does not properly find and use the celt 0.7.1 library. This is the most common celt version and is required for communication with the Windows and OSX clients. This resulted in Mumble being able to connect fine, playback and record audio, appear as if everything is working perfectly, but then simply fail to play or send any audio. The updated packages fix these issues.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-2.2.mga2
mumble-11x-1.2.3-2.2.mga2
mumble-protocol-kde4-1.2.3-2.2.mga2
mumble-plugins-1.2.3-2.2.mga2
mumble-server-1.2.3-2.2.mga2

from mumble-1.2.3-2.2.mga2.src.rpm
CC: qa-bugs => mageia
Assignee: mageia => qa-bugs
Summary: Mumble does not find the celt 0.7.1 library => Mumble does not find the celt 0.7.1 library [mga2]
Rebuild for Mageia 2 pending qt4 in updates_testing being fixed. See https://bugs.mageia.org/show_bug.cgi?id=6511#c11
It has been built now. Colin, does anything need to be added to the advisory?

Packages built:
mumble-1.2.3-2.2.2.mga2
mumble-11x-1.2.3-2.2.2.mga2
mumble-protocol-kde4-1.2.3-2.2.2.mga2
mumble-plugins-1.2.3-2.2.2.mga2
mumble-server-1.2.3-2.2.2.mga2
mumble-server-web-1.2.3-2.2.2.mga2

from mumble-1.2.3-2.2.2.mga2.src.rpm
David, you can mention in the advisory that the missing -web package for mga2 has been restored (I'm not sure how well it works in practice but it's likely better than nothing!). In both mga1 and mga2 the ICE support has been re-enabled. I've not really any clue what this is but it was needed for the weblist.php file.
Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file (CVE-2012-0863).

Additionally, the version of mumble shipped with Mageia 2 does not properly find and use the celt 0.7.1 library. This is the most common celt version and is required for communication with the Windows and OSX clients. This resulted in Mumble being able to connect fine, playback and record audio, appear as if everything is working perfectly, but then simply fail to play or send any audio. The updated packages fix these issues.

Finally, the mumble-server-web package is being provided, as it was not provided initially with Mageia 2, and ICE support has been enabled.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-2.2.2.mga2
mumble-11x-1.2.3-2.2.2.mga2
mumble-protocol-kde4-1.2.3-2.2.2.mga2
mumble-plugins-1.2.3-2.2.2.mga2
mumble-server-1.2.3-2.2.2.mga2
mumble-server-web-1.2.3-2.2.2.mga2

from mumble-1.2.3-2.2.2.mga2.src.rpm
On Mageia 2 i586:

Once the two celt libraries libcelt0_2 and libcelt071_0 were installed, I installed all the mumble packages:
mumble
mumble-11x
mumble-protocol-kde4
mumble-plugins
mumble-server

I started Mumble from command line. I could check that

lsof | grep ^mumble| grep celt

only yields /usr/lib/libcelt0.so.2.0.0

I could confirm the security issue:

ll -a .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw-r--r-- 1 malo malo 27648 Jul 26 17:07 .local/share/data/Mumble/Mumble/.mumble.sqlite

Once I installed the packages from testing,

ll -a .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw------- 1 malo malo 27648 Jul 26 17:17 .local/share/data/Mumble/Mumble/.mumble.sqlite

and the celt thing is fixed.

I don't know anything about mumble, but starting mumble and connecting to a server seems to work.

As for mumble-server-web, when I go to http://localhost/cgi-bin/mumble-server/weblist.cgi, I get an error about a murmur service not available.

So, except for the mumble-server-web thing, the update seems to fix the bugs. I'll wait for an answer about mumble-server-web.
CC: (none) => malo
Running murmur-user-wrapper once, then restarting the mumble-server-web allowed me to use mumble to connect to my own server, and see myself connected in the weblist page. Testing completed on Mageia 2 i586.
Whiteboard: (none) => MGA2-32-OK
Component: RPM Packages => Security
CC: (none) => stormi
Whiteboard: MGA2-32-OK => has_procedure MGA2-32-OK
Testing x86_64
Before
------
# rpm -qa | grep lib64celt
lib64celt071_0-0.7.1-1.mga2
lib64celt051_0-0.5.1.3-2.mga2
lib64celt0_2-0.11.1-1.mga2

$ mumble

# lsof | grep ^mumble| grep celt
mumble 13517 claire mem REG 8,1 92336 675782 /usr/lib64/libcelt0.so.2.0.0
mumble 13517 13533 claire mem REG 8,1 92336 675782 /usr/lib64/libcelt0.so.2.0.0
mumble 13517 13535 claire mem REG 8,1 92336 675782 /usr/lib64/libcelt0.so.2.0.0
mumble 13517 13542 claire mem REG 8,1 92336 675782 /usr/lib64/libcelt0.so.2.0.0
mumble 13517 13543 claire mem REG 8,1 92336 675782 /usr/lib64/libcelt0.so.2.0.0

$ ll -a .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw-r--r-- 1 claire claire 54272 Aug 1 12:23 .local/share/data/Mumble/Mumble/.mumble.sqlite

After
-----
$ ll -a .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw------- 1 claire claire 38912 Aug 1 12:26 .local/share/data/Mumble/Mumble/.mumble.sqlite

# lsof | grep ^mumble| grep celt
mumble 13925 claire mem REG 8,1 92336 675782 /usr/lib64/libcelt0.so.2.0.0
mumble 13925 claire mem REG 8,1 75944 580659 /usr/lib64/libcelt071.so.0.0.0
mumble 13925 13927 claire mem REG 8,1 92336 675782 /usr/lib64/libcelt0.so.2.0.0
mumble 13925 13927 claire mem REG 8,1 75944 580659 /usr/lib64/libcelt071.so.0.0.0
mumble 13925 13928 claire mem REG 8,1 92336 675782 /usr/lib64/libcelt0.so.2.0.0
mumble 13925 13928 claire mem REG 8,1 75944 580659 /usr/lib64/libcelt071.so.0.0.0
mumble 13925 13930 claire mem REG 8,1 92336 675782 /usr/lib64/libcelt0.so.2.0.0
mumble 13925 13930 claire mem REG 8,1 75944 580659 /usr/lib64/libcelt071.so.0.0.0
etc.

Seems to be using mixed lib versions now.

I'll test the server and try to connect to it in a moment.
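The two manual checks used by the testers in this report (the mode of .mumble.sqlite and the celt libraries mapped by mumble) can be scripted. The following is an added example, not part of the bug report or of the Mageia packages; the function names are made up for the example, the lsof sample lines are copied from the x86_64 test output in this report, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: scripted form of the two QA checks used in this report.
# Function names are assumptions made for the example.

# Succeed only if FILE grants no permission bits to group or other.
mode_is_private() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat, octal mode, e.g. 644
    case "$(printf '%03d' "$mode")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print "MODE PATH" for every Mumble database under ROOT/<user>/ that is
# accessible to anyone but its owner (the CVE-2012-0863 condition).
audit_mumble_db() {
    for home in "$1"/*; do
        dir="$home/.local/share/data/Mumble"
        [ -d "$dir" ] || continue
        find "$dir" -type f -name .mumble.sqlite | while IFS= read -r db; do
            mode_is_private "$db" || printf '%s %s\n' "$(stat -c '%a' "$db")" "$db"
        done
    done
    return 0
}

# Read lsof output on stdin; print each distinct celt library mapped by mumble.
# Lines with an extra thread-id column are handled because only the first and
# last fields are inspected.
celt_libs_loaded() {
    awk '$1 == "mumble" && $NF ~ /\/libcelt/ { n = split($NF, p, "/"); print p[n] }' | sort -u
}

# Succeed if the 0.7.1 codec is among the mapped libraries.
has_celt071() {
    celt_libs_loaded | grep -q '^libcelt071\.so'
}

# Sample lsof lines taken from the x86_64 test output in this report.
sample_lsof_before() {
    cat <<'EOF'
mumble 13517 claire mem REG 8,1 92336 675782 /usr/lib64/libcelt0.so.2.0.0
mumble 13517 13533 claire mem REG 8,1 92336 675782 /usr/lib64/libcelt0.so.2.0.0
EOF
}
sample_lsof_after() {
    cat <<'EOF'
mumble 13925 claire mem REG 8,1 92336 675782 /usr/lib64/libcelt0.so.2.0.0
mumble 13925 claire mem REG 8,1 75944 580659 /usr/lib64/libcelt071.so.0.0.0
mumble 13925 13927 claire mem REG 8,1 75944 580659 /usr/lib64/libcelt071.so.0.0.0
EOF
}

# Stand-alone use: sh check.sh /home
if [ -n "${1:-}" ]; then
    audit_mumble_db "$1"
fi
```

On a live system the codec check is run as root with `lsof | has_celt071` while mumble is connected to a server.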
Apache will not start with mumble-server-web installed.

From /var/log/httpd/error.log..

[Wed Aug 01 12:48:53 2012] [notice] core dump file size limit raised to 18446744073709551615 bytes
[Wed Aug 01 12:48:54 2012] [notice] Digest: generating secret for digest authentication ...
[Wed Aug 01 12:48:54 2012] [notice] Digest: done
/usr/share/slice/Murmur.ice:9: error: Can't open include file "Ice/SliceChecksumDict.ice"
#include <Ice/SliceChecksumDict.ice>
1 error in preprocessor.
PHP Fatal error: Unable to start ice module in Unknown on line 0
It did install ice as a dependency..

# urpmi mumble-server-web
In order to satisfy the 'mail-server' dependency, one of the following packages is needed:
 1- postfix-2.8.8-1.mga2.x86_64: Postfix Mail Transport Agent (to install)
 2- sendmail-8.14.5-2.mga2.x86_64: A widely used Mail Transport Agent (MTA) (to install)
What is your choice? (1-2) 2
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  cyrus-sasl                     2.1.23       19.mga2       x86_64
  ice                            3.3.1        5.mga2        x86_64
  perl-CGI-Session               4.480.0      1.mga2        noarch
  perl-HTML-Template             2.900.0      1.mga1        noarch
  perl-Image-Magick              6.7.5.10     2.mga2        x86_64
  perl-Net-DNS                   0.680.0      1.mga2        x86_64
  php-ice                        3.3.1        5.mga2        x86_64
  sendmail                       8.14.5       2.mga2        x86_64
(medium "Core Updates Testing")
  mumble-server-web              1.2.3        2.2.2.mga2    x86_64
14MB of additional disk space will be used.
3.2MB of packages will be retrieved.
Proceed with the installation of the 9 packages? (Y/n) y

Maybe some more information towards the end here..
http://sourceforge.net/tracker/index.php?func=detail&aid=3009456&group_id=147372&atid=768005
If I change the #include line in /usr/share/slice/Murmur.ice from

#include <Ice/SliceChecksumDict.ice>

to

#include </usr/share/ice/slice/Ice/SliceChecksumDict.ice>

apache starts fine and I can access the url:
http://localhost/cgi-bin/mumble-server/weblist.cgi

and see

Server #1 total: 0
I can also add server localhost in mumble and connect to it. Colin this seems a simple fix for mumble-server, could you have another look at it please? Thanks!
Hardware: i586 => All
Whiteboard: has_procedure MGA2-32-OK => has_procedure feedback MGA2-32-OK
Tested on x86_64, I confirm Claire's tests.

After:
-------
# rpm -qa | grep lib64celt
lib64celt071_0-0.7.1-1.mga2
lib64celt0_2-0.11.1-1.mga2
lib64celt051_0-0.5.1.3-2.mga2

# lsof | grep ^mumble| grep celt
mumble 10759 stefano mem REG 8,1 92336 411331 /usr/lib64/libcelt0.so.2.0.0
mumble 10759 stefano mem REG 8,1 75944 452206 /usr/lib64/libcelt071.so.0.0.0
mumble 10759 10763 stefano mem REG 8,1 92336 411331 /usr/lib64/libcelt0.so.2.0.0
mumble 10759 10763 stefano mem REG 8,1 75944 452206 /usr/lib64/libcelt071.so.0.0.0
mumble 10759 10764 stefano mem REG 8,1 92336

Test connection to a server : Ok, It works.

# ll -a .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw------- 1 stefano stefano 27648 ago 3 12:10 .local/share/data/Mumble/Mumble/.mumble.sqlite

The web-server test going to page http://localhost/cgi-bin/mumble-server/weblist.cgi

Server #1 total: 0

Webserver is going well without any workaround.

Bye
Stefano
CC: (none) => stblack
Whiteboard: has_procedure feedback MGA2-32-OK => has_procedure feedback MGA2-32-OK, MGA2-64-OK
(In reply to comment #17)
> Webserver is going well without any workaround.
>
> Bye
> Stefano

That's strange. What is the output from :

rpm -qa | grep mumble
rpm -qa | grep "\bice\b"
Confirming what Claire found on Mageia 2 x86-64,

From /var/log/httpd/error_log

[Mon Aug 13 20:51:35 2012] [notice] Digest: done
/usr/share/slice/Murmur.ice:9: error: Can't open include file "Ice/SliceChecksumDict.ice"
#include <Ice/SliceChecksumDict.ice>
1 error in preprocessor.
PHP Fatal error: Unable to start ice module in Unknown on line 0
CC: (none) => davidwhodgins
mumble-1.2.3-2.3.mga2 should fix the php-ice pb. Please check if you get the following message in apache logs after installing murmur-server-web and restarting apache: If so, then I'll have to add another patch.
Whiteboard: has_procedure feedback MGA2-32-OK, MGA2-64-OK => has_procedure
Thanks Samuel. Updating the advisory.

Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file (CVE-2012-0863).

Additionally, the version of mumble shipped with Mageia 2 does not properly find and use the celt 0.7.1 library. This is the most common celt version and is required for communication with the Windows and OSX clients. This resulted in Mumble being able to connect fine, playback and record audio, appear as if everything is working perfectly, but then simply fail to play or send any audio. The updated packages fix these issues.

Finally, the mumble-server-web package is being provided, as it was not provided initially with Mageia 2, and ICE support has been enabled.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-2.2.3.mga2
mumble-11x-1.2.3-2.2.3.mga2
mumble-protocol-kde4-1.2.3-2.2.3.mga2
mumble-plugins-1.2.3-2.2.3.mga2
mumble-server-1.2.3-2.2.3.mga2
mumble-server-web-1.2.3-2.2.3.mga2

from mumble-1.2.3-2.2.3.mga2.src.rpm
I've just started looking at how to test this one, now that httpd starts ok with the update.

$ murmur-user-wrapper -i
Creating /home/dave/murmur/murmur.ini
Could not find template for murmur.ini in /usr/share/doc/mumble-server/examples.

I manually copied /usr/share/doc/mumble-server/murmur.ini to ~/murmur, after which murmur-user-wrapper starts the private server, and murmur-user-wrapper -k stops it ok.

$ grep emailfrom /etc/mumble-server.ini
emailfrom =dave@x2v.hodgins.homeip.net

The postfix server is running, and I can send mail, but when I go to http://localhost/cgi-bin/mumble-server/register.cgi, enter the same email address, and select register, a message pops up at the top with "And how am I supposed to send email there?".

I've set up my own dns server ...

$ host x2v.hodgins.homeip.net
x2v.hodgins.homeip.net has address 192.168.10.106
$ host 192.168.10.106
106.10.168.192.in-addr.arpa domain name pointer x2v.hodgins.homeip.net.

In /var/log/mumble-server/mumble-server.log there is a message ...

Registration: No DNS records found: Source-based callback failed. Server not reachable.

# rpm -q -a|grep celt
lib64celt0_2-0.11.1-1.mga2
libcelt0_2-0.11.1-1.mga2

Should it be installing the other celt libraries?

Suggestions?
Whiteboard: has_procedure => has_procedure feedback
I can't answer, I only tried to fix the Ice problem. I suppose the email issue is not a regression, if so I'd still validate, unless Colin sees what the problem is. About the celt libs I'll let Colin answer :)
It probably should install at least the 0.7.1 version of the celt libs as this is the most commonly used (see the initial advisory text in the initial comment), so IMO this should be made a require. No idea about the mail/DNS stuff. My only guess would be something to do with chroots and not properly propagating /etc/resolv.conf changes, but it seems a bit unlikely for such a daemon to do that.
Whiteboard: has_procedure feedback => has_procedure
Ping colin. Did you add the require you mentioned colin? If you are short of time at the moment we can create a new bug report for that and test and validate this security update. It has been in testing for a while now. Please let us know. Thanks :)
Sorry Claire. Got a massive backlog. Going to try and clear some of it tonight :)

As for this issue, it seems there *is* a require already. From the spec:

# (cg) The celt libraries are loaded dynamically but we need at least 0.7.1 to
# be compatible with the Windows and OSX clients
# The 0.11 version can work if the clients (and presumably the server) all
# support it.
# Using mklibname is not ideal but it's the easiest option for now
Requires: %{mklibname celt 071 0}
Suggests: %{mklibname celt 0 2}

And indeed testing it on my mga2 machine:

[colin@marley ~]$ sudo urpmi --searchmedia CoreUpdatesTesting-64 mumble
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "CoreRelease-64")
  espeak                         1.46.02      1.mga2        x86_64   (suggested)
  g15daemon                      1.9.5.3      7.mga1        x86_64
  lib64celt071_0                 0.7.1        1.mga2        x86_64
  lib64dotconf0                  1.3          1.mga2        x86_64   (suggested)
  lib64espeak1                   1.46.02      1.mga2        x86_64   (suggested)
  lib64g15_1                     1.2.7        3.mga2        x86_64
  lib64g15daemon_client1         1.9.5.3      7.mga1        x86_64
  lib64g15render1                1.2          8.mga1        x86_64
  lib64protobuf6                 2.4.1        1.mga2        x86_64
  lib64speechd2                  0.7.1        3.mga2        x86_64
  perl-Inline                    0.500.0      1.mga2        x86_64
  speech-dispatcher              0.7.1        3.mga2        x86_64   (suggested)
(medium "CoreUpdates-64")
  qt4-database-plugin-sqlite     4.8.2        1.3.mga2      x86_64
(medium "CoreUpdatesTesting-64")
  mumble                         1.2.3        2.3.mga2      x86_64
  mumble-plugins                 1.2.3        2.3.mga2      x86_64
10MB of additional disk space will be used.
4.1MB of packages will be retrieved.
Proceed with the installation of the 15 packages? (Y/n)

So indeed lib64celt071_0 is pulled in.

So I'm not quite sure how Dave got the results he did in comment 22 :s

I'd be tempted to just push this one as is. At least it gets it out there and if there are more problems we can sort them later.
Testing complete Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
mumble-1.2.3-2.2.3.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and link the following packages from Core Release to Core Updates

lib64celt071_0-0.7.1-1.mga2 (Core Release)
lib64dbcxx4.8-4.8.30-8.mga2 (Core Release)
lib64ice33-3.3.1-5.mga2 (Core Release)
lib64mcpp0-2.7.2-2.mga1 (Core Release)

Advisory:

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file (CVE-2012-0863).

Additionally, the version of mumble shipped with Mageia 2 does not properly find and use the celt 0.7.1 library. This is the most common celt version and is required for communication with the Windows and OSX clients. This resulted in Mumble being able to connect fine, playback and record audio, appear as if everything is working perfectly, but then simply fail to play or send any audio. The updated packages fix these issues.

Finally, the mumble-server-web package is being provided, as it was not provided initially with Mageia 2, and ICE support has been enabled.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

https://bugs.mageia.org/show_bug.cgi?id=6581
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure => has_procedure MGA2-32-OK MGA2-64-OK
Depends on: (none) => 2317
Packages linked and Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0248
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED